Intego reporting new OS X trojan horse in the wild

Ah, Halloween, when all the nasties come out. Just when you thought it was safe to go surfing again, Mac AV vendor Intego is reporting an OS X-specific Trojan horse showing up on some sites and forums. The bit of nasty, which Intego is calling OSX.RSPlug.A and other sources refer to as DNSchanger or Ultracodec/Zlob (the Windows version), is delivered under the pretense of installing a QuickTime codec necessary to view adult videos. Once the .dmg is downloaded and the installer is run (with administrative permissions), rather than a new video codec you've got rogue DNS server settings plus a cron job that continually sets your DNS back to the bogus entries. Making matters worse, on Tiger the fake DNS settings are invisible in the Network system preference pane.
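Because the bogus resolvers may not show up in the Network preference pane, the practical check is to read the resolver list from the command line (assumed here to come from `scutil --dns`) and to look at root's crontab for a job that rewrites DNS settings. The script below is an added illustration of that check, not code from Intego or the post; the `scutil --dns` excerpt and the crontab are constructed samples, and the TEST-NET addresses and the `networksetup -setdnsservers` cron line are hypothetical stand-ins for whatever the real Trojan installs.

```python
import re

# Constructed excerpt in the shape of `scutil --dns` output (not a real capture).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.10
  nameserver[1] : 192.0.2.11
  order   : 200000
"""

# Constructed root crontab. The every-minute line is a hypothetical example of
# the "keep resetting DNS" persistence described in the post, not the real job.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/periodic daily
* * * * * /usr/sbin/networksetup -setdnsservers Ethernet 192.0.2.10 192.0.2.11
"""

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def configured_nameservers(scutil_output):
    """Return the distinct resolver addresses listed in scutil --dns output."""
    return sorted(set(NAMESERVER_RE.findall(scutil_output)))


def unexpected_nameservers(scutil_output, expected):
    """Resolvers in use that are not in the set you expect (ISP, router, corp)."""
    return [ns for ns in configured_nameservers(scutil_output) if ns not in expected]


def dns_changing_cron_jobs(crontab_text):
    """Return crontab entries whose command rewrites DNS settings (heuristic)."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        command = fields[5]
        if "setdnsservers" in command or "resolv.conf" in command:
            hits.append(line)
    return hits


if __name__ == "__main__":
    expected = {"198.51.100.1"}  # placeholder: the resolver you really use
    print("unexpected resolvers:", unexpected_nameservers(SAMPLE_SCUTIL_DNS, expected))
    print("DNS-changing cron jobs:", dns_changing_cron_jobs(SAMPLE_CRONTAB))
```

On a live Tiger machine you would feed the script the real output of `scutil --dns` and `sudo crontab -l`; removing the cron job before fixing the resolvers matters, since otherwise the job puts the bogus entries straight back.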

These fake DNS entries might mislead your machine to spyware sites (unlikely to affect your Mac), pay-per-click search engines (annoying but not dangerous), more pornography (potentially troublesome), or -- and this is really the problem -- Potemkin versions of financially sensitive sites like PayPal, eBay or banks, which would presumably capture your login credentials before handing you off to the genuine article.

While at least one unfortunate poster at Apple's support forum has been bitten by this malware, some simple precautions -- turning off "Open Safe Files" in Safari and, hmm, I dunno, not installing software downloaded from pornography sites -- will go a long way toward preventing the spread of this malware. Remember, a Trojan does not self-distribute; this code depends on user behavior as the vector of infection, so behave.

Update:
Rob Griffiths at Macworld has posted helpful detection and removal instructions for the Trojan.

via MacTech